What’s next in consumer data breach litigation? Minimizing the risk

In this series of articles, we examined the challenges plaintiffs historically encountered in bringing privacy and data breach claims, and the recent attempts by plaintiffs’ counsel to overcome these obstacles by casting claims under alternate legal theories. In this final installment we now examine the impact these emerging trends may have on companies and how their own end-user agreements and privacy policies might, unintentionally, create an opening for similar claims.

As we have seen, plaintiffs recently achieved some success by framing their data breach claims in common law misrepresentation and related legal theories. For instance, in the Sony Gaming Network case, the plaintiffs alleged that Sony’s privacy policy and end-user agreements misrepresented the steps Sony would take to secure customers’ personal information by using industry-standard encryption to prevent unauthorized access to sensitive financial information. Upon review, the Sony court held that misrepresentation claims passed legal muster under California state law and allowed them to proceed. It further observed that, although Sony disclaimed the ability to provide “perfect security,” there was an issue of fact regarding plaintiff’s allegation that “Sony’s representations regarding ‘reasonable security’ were deceptive, in light of Sony’s additional representations regarding ‘industry-standard’ encryption.”

Similarly, in the LinkedIn data breach case, misrepresentation claims survived based on allegations that plaintiff “purchased her premium subscription on the basis of LinkedIn’s statement that its users’ data will be secured with industry standards and technology, … that the statement was false when she read and relied on it, and … that she would not have made the purchase (or that she would have negotiated for a lower price) but for the misrepresentation.” The court concluded that plaintiff’s alleged injury — the very purchase induced by the misrepresentation — was “fairly traceable to LinkedIn’s conduct because LinkedIn made the misrepresentation ….”

These cases underscore that privacy policies and end-user agreements will be subject to increasingly intense scrutiny in the event of a data breach. Indeed, the language of those agreements may very well become pivotal in determining whether claims survive the pleadings stage. It is for this reason that companies should now examine their existing privacy policies and end-user agreements with a critical eye to determine whether they likewise might be vulnerable to misrepresentation and omission-style claims.

First, policies should be examined with regard to any affirmative statements about the company’s data protection practices. What statements are made in those policies regarding the handling of consumer data? Do they promise more than intended, or more that can be delivered, and how might those statements appear to the average consumer? In this regard, companies should never assume that their policies will not be read or will not impact a purchasing decision. As the LinkedIn case made clear, the mere allegation that plaintiff relied on a written privacy policy in subscribing to LinkedIn’s service was sufficient to constitute a legally-cognizable claim. For better or worse, companies must assume that even the most obscure elements of its policies will impact consumer behavior and potentially give rise to such claims.

Second, companies should look beyond the language used in written policies and examine the actual practice of the company in providing security. Policy language that is clear and direct may nevertheless become misleading when compared against what the company actually does. If the company does not provide the very same level of security set forth in its written policy, or attempts to provide it by means that differ from those stated in its policy, one can be sure that those differences will be exploited by plaintiffs’ counsel. Therefore, if a careful assessment reveals discrepancies between the written policy and actual practice, companies should either revise the policy to conform as much as possible to their practice, or else revise the practice to conform to the policy.

Third, what is not stated in the company’s privacy policies and end-user agreements is just as important as what is stated explicitly. For instance, in the Sony case, the court found that plaintiffs had sufficiently pled fraud-based “omission” claims under California law. Those claims included allegations that Sony omitted material facts regarding the security of its network, including allegations that it failed to install and maintain firewalls and utilize industry-standard encryption. Any review of policy language, therefore, must include consideration of whether the policy, as written, paints an incomplete picture of the company’s actual capabilities or practices. Again, a candid assessment of the company’s day-to-day operations may reveal that additional disclosures should be made to avoid potentially misleading the consumer.

Fourth, and perhaps most importantly, companies should embark on a deliberate program of auditing written policies on a regular basis. Actual day-to-day operations may have a tendency to slip away from the policy over time, or may demonstrate that the language of the policy is unworkable or outdated. In either case, regularly scheduled formal audits may help to identify potential issues and give the company an opportunity to prevent gaps from developing between policy language and its practices.

Ultimately, no privacy policy or end-user agreement may ever be so airtight as to preclude claims such as misrepresentation, but there are common sense steps a company can take to minimize its risk. Further, given the recent traction plaintiffs have been gaining with these claims in court, it is imperative that companies engage knowledgeable counsel to participate in the review, revision or creation of well-written policies that not only accurately capture existing practices, but deter plaintiff’s counsel from targeting the company in the first place.